[00:01.800 --> 00:08.800]  Hello, hello everyone. This is Erdener. I'm here with my colleague Gökberk.
[00:08.880 --> 00:10.240]  Hi.
[00:11.640 --> 00:18.320]  Thanks for joining our session. We are very excited to be part of the Red Team Village this year.
[00:18.720 --> 00:25.320]  The title of our session is Executing Red Team Scenarios with Built-in Scenario Plays.
[00:27.040 --> 00:31.500]  First of all, let's start with introducing ourselves a little bit.
[00:32.700 --> 00:40.300]  Hi everyone. I am Gökberk. I am a Penetration Tester and Red Team Operator.
[00:40.300 --> 00:47.740]  I have worked across a variety of industries, including financial services and government services.
[00:47.820 --> 00:54.720]  Currently, I am working as an Offensive Security Engineer at an industry-leading bank.
[00:54.720 --> 01:01.860]  I plan and conduct full-scope Red Team engagements that simulate realistic and targeted attacks.
[01:02.660 --> 01:10.940]  Also, I am responsible for performing host infrastructure penetration testing, web and mobile application testing,
[01:10.940 --> 01:17.040]  social engineering engagements, source code reviews, and wireless penetration tests.
[01:17.040 --> 01:28.000]  In the past, I have given several presentations on malware analysis, Red Team operations, exploit development, and IoT security.
[01:29.560 --> 01:39.060]  Thank you Gökberk. And my name is Erdener. I have about 10 years of experience in IT and information security.
[01:39.060 --> 01:46.780]  During this time, I had a chance to work at research institutes, a Fortune 100 company, and a bug bounty company.
[01:47.040 --> 01:53.380]  I took roles in development teams, security operations, and application security teams
[01:53.640 --> 02:01.240]  that are focused on security tool development, penetration testing, and vulnerability assessments.
[02:01.340 --> 02:05.300]  Currently, I am working as an Application Security Engineer.
[02:06.400 --> 02:13.480]  Today, we are going to talk about our tool called Red Team Built-in Scenario Plays,
[02:14.520 --> 02:17.400]  also called Manticore platform.
[02:17.500 --> 02:24.880]  We are going to demonstrate how to execute some adversary emulation scenarios, like a ransomware attack, with this tool.
[02:24.880 --> 02:30.820]  We'll start the discussion with a brief introduction to what the MITRE ATT&CK framework is,
[02:30.820 --> 02:36.240]  then we'll discuss the challenges concerning adversary emulation and its related tools
[02:36.240 --> 02:42.220]  to show a little bit about why we needed to build, why we wanted to build such a tool,
[02:42.220 --> 02:47.040]  and later we'll talk about the features of these open source scenario plays.
[02:48.520 --> 02:56.080]  Through the end, we'll demo the tool, and we are going to show the user interface, some scenario cards on it,
[02:56.080 --> 03:03.400]  and we'll execute some sample scenarios like APT29, LOLBins,
[03:03.400 --> 03:08.180]  and a simplified ransomware scenario using the command line client.
[03:08.180 --> 03:10.980]  Finally, we'll finish with the future work.
[03:12.220 --> 03:14.140]  All right, let's start.
[03:14.780 --> 03:24.180]  So, as we all know, Red Team activities are one of the fastest developing solutions against today's cyber attacks.
[03:24.180 --> 03:30.380]  And recently, the number of tools that propose to help Red Teams is increasing quite rapidly.
[03:30.520 --> 03:37.360]  And following this trend, we have also created an adversarial emulation tool for Red Teams.
[03:37.360 --> 03:45.420]  This is an open source tool, and its aim is to aid a Red Team to execute several types of attack scenarios.
[03:45.420 --> 03:52.800]  It also gives more visibility to the Blue Teams to see what's being executed on their endpoints,
[03:52.800 --> 03:59.300]  or what malicious traffic is going through their network during a Red Team exercise.
[03:59.300 --> 04:06.590]  So the initial version of this tool was presented at the previous Red Team Village event back in May.
[04:07.040 --> 04:12.630]  And since then, it has been improved with scenarios, and it has been published on GitHub.
[04:13.700 --> 04:23.420]  Basically, we have categories of scenarios as network-based, endpoint-based, and APT group-based.
[04:23.420 --> 04:31.580]  And there is also a section for Blue Team techniques, showing some hardening controls related to executed scenarios.
[04:32.360 --> 04:38.220]  You can find the GitHub repository link on the slide here.
[04:38.220 --> 04:49.740]  All the scenarios inside the repo that we are releasing are mapped to the MITRE ATT&CK framework.
[04:49.740 --> 04:55.260]  And the techniques and the tactics can be found in this framework.
[04:55.260 --> 04:58.060]  I will talk about the framework in a minute.
[04:58.280 --> 05:07.500]  You will see the reference numbers, the attack IDs of the scenarios, of the techniques,
[05:07.500 --> 05:13.400]  inside the configuration files for each scenario if you go to the GitHub repository.
[05:13.400 --> 05:16.100]  But we will go into detail about this.
[05:17.300 --> 05:21.620]  So, what is the MITRE ATT&CK framework?
[05:21.620 --> 05:26.960]  For those of you who see this for the first time, let me briefly explain it.
[05:27.180 --> 05:38.180]  When you visit this website, attack.mitre.org, you see a matrix of items called the ATT&CK Matrix for Enterprise.
[05:39.660 --> 05:42.840]  The columns of this matrix are tactics.
[05:42.840 --> 05:47.220]  And tactics are mainly the objective of the attack attempt.
[05:47.420 --> 05:51.060]  The goal that an attacker tries to achieve.
[05:51.060 --> 05:56.100]  So you can see 12 columns here.
[05:56.100 --> 06:00.200]  Each of them represents an attack goal.
[06:01.140 --> 06:05.320]  And under each attack goal, there are techniques.
[06:05.320 --> 06:09.420]  And each of these techniques has an attack ID with it.
[06:09.420 --> 06:13.740]  So in total there are 12 tactics listed in MITRE ATT&CK.
[06:13.740 --> 06:19.760]  And these tactics have around 250 different techniques.
[06:19.940 --> 06:26.960]  This framework is a great knowledge base classifying these adversary tactics and techniques
[06:26.960 --> 06:32.280]  that are used to attack targets in real life.
[06:32.280 --> 06:36.680]  Of course, this framework is not only beneficial for red teamers,
[06:36.680 --> 06:42.420]  but organizations are also benefiting from it to learn about the attack methods.
[06:43.440 --> 06:48.720]  And the framework is open to any person and organization for use at no charge.
[06:49.020 --> 06:56.120]  And just like how the OWASP Top 10 is being embedded in most application security tools,
[06:56.440 --> 07:05.340]  a great resource like this one is becoming a fundamental reference of red teams and adversarial emulation tools.
[07:06.500 --> 07:11.080]  So our open source tool is no exception for this.
[07:11.660 --> 07:19.240]  And as I said, there are 12 tactics, almost chronologically, starting with the initial access
[07:20.060 --> 07:24.380]  and going to the impact goal of an attack.
[07:24.380 --> 07:30.380]  So in the initial access part, the attacker is trying to penetrate the targets.
[07:30.880 --> 07:37.200]  And then comes the execution, when the attacker is simply trying to run a malicious code.
[07:38.360 --> 07:43.160]  And the list goes on actually, I'm not going into details a lot.
[07:43.600 --> 07:50.400]  Just to see some examples for techniques, let's take the execution tactic.
[07:50.400 --> 07:57.700]  So for the execution tactic, there are 10 techniques listed underneath it.
[07:57.700 --> 08:01.580]  Some of these have some subcategories as well.
[08:02.020 --> 08:09.600]  The techniques listed here are about the methods that an attacker can use to run code,
[08:09.600 --> 08:16.320]  basically execute a code on a local or remote system to reach their main objective.
[08:16.320 --> 08:23.940]  This execution tactic is also often interconnected with other tactics.
[08:23.940 --> 08:30.600]  For example, as a red teamer, your execution technique of using command and scripting interpreter
[08:30.900 --> 08:37.860]  could be running a PowerShell script to perform a file download from a remote server
[08:37.860 --> 08:41.680]  that will be used for the discovery goal.
[08:41.680 --> 08:47.980]  So it would be related to the discovery goal in that sense.
[08:47.980 --> 08:51.460]  You can check out MITRE's website for more details,
[08:51.460 --> 08:56.720]  and we have seen that there are many great talks in the program about this framework,
[08:56.720 --> 09:01.980]  and we suggest that you check them for getting more insights about it.
[09:01.980 --> 09:08.740]  We just tried to mention the technique and tactic idea here,
[09:08.740 --> 09:10.960]  how we mapped it in our tool.
[09:11.680 --> 09:21.600]  Next, the offensive teams have some common exercises like vulnerability assessments,
[09:21.600 --> 09:25.080]  penetration testing, and adversary emulation.
[09:25.080 --> 09:31.420]  Skipping the first two, the last one, adversary emulation, is what we actually focus on right now,
[09:31.420 --> 09:35.680]  and it's an activity where red teamers, as the name refers,
[09:35.680 --> 09:42.600]  try to emulate or imitate how an adversary performs during a real-life attack.
[09:42.760 --> 09:48.380]  The platform we'll demo here is focused on adversary emulation, as I've said,
[09:48.380 --> 09:51.960]  performed inside the network of an organization.
[09:51.960 --> 09:56.820]  So in a way, you can think that the initial access tactic has been achieved,
[09:56.820 --> 09:59.900]  and we are moving on to the other tactics.
[09:59.900 --> 10:07.580]  Therefore, we can say that this tool will be most useful for internal red teams or purple teams.
[10:08.280 --> 10:14.540]  Now let's discuss some issues faced with adversary emulation,
[10:14.540 --> 10:18.780]  and what we want to see with this tool.
[10:19.300 --> 10:23.400]  So, it's not going to be an answer to all these problems,
[10:23.400 --> 10:26.260]  the tool is not going to be an answer to all these problems,
[10:26.260 --> 10:30.500]  but we think it's a step to solve some of them at least.
[10:30.520 --> 10:35.160]  First of all, emulating adversarial behavior is costly,
[10:35.160 --> 10:39.780]  because their techniques are complex and require time.
[10:39.780 --> 10:45.840]  And it's not common to see the tools created or used by malicious actors in the wild.
[10:45.840 --> 10:50.520]  That's why adversary emulation is an expensive exercise.
[10:51.000 --> 10:54.160]  Next thing is the scenario transparency.
[10:54.160 --> 11:00.160]  We have seen that adversarial emulation tools do not provide transparency in their scenarios.
[11:00.220 --> 11:02.720]  That's what we wanted to avoid by this tool.
[11:02.720 --> 11:09.720]  In our experience, we saw that there is a need for collaboration between red and blue teams,
[11:09.720 --> 11:14.220]  especially for internal security teams of big organizations.
[11:14.560 --> 11:22.560]  Blue teams cannot easily see the adversarial emulation behavior due to the black box nature of the red team's attacks.
[11:22.560 --> 11:29.540]  This causes a problem in terms of improving their incident response capabilities efficiently.
[11:29.540 --> 11:32.700]  Another problem is tool availability.
[11:34.300 --> 11:40.640]  While emulating adversaries, tool availability is another issue.
[11:41.340 --> 11:49.000]  Red teams cannot easily find the tools used by the malicious actors, just like we mentioned in the cost challenge.
[11:49.000 --> 11:56.320]  Therefore, bringing all publicly available scenarios together, we think, will be the best option for red teams.
[11:58.200 --> 12:01.800]  Repeatability is another issue in adversary emulation.
[12:02.380 --> 12:07.340]  Why? Because sometimes during the red team engagement, a test may fail.
[12:07.640 --> 12:16.060]  But the device configuration may be changed at a later point by someone or by some service account.
[12:16.060 --> 12:20.220]  So, the same test may pass on another try.
[12:20.260 --> 12:28.040]  Therefore, it would be great to have some parts of adversary emulation engagements automated, continuous, and repeatable.
[12:28.040 --> 12:36.290]  It's nice to have a system where the security teams are able to schedule these tests to run at frequent intervals.
[12:37.350 --> 12:48.350]  Another issue is that adversary emulation exercises involve some malicious software used by the red teams.
[12:48.350 --> 12:56.730]  So, this malicious software can cause unexpected situations on corporate devices and networks.
[12:57.190 --> 13:04.510]  It's also a great idea to have visibility on which software will be used during the engagement.
[13:06.490 --> 13:14.710]  What's more, there are also some challenges with regards to other tools used by the red teams.
[13:15.070 --> 13:25.310]  Like for the on-premise installation of simulation tools, updated attacks cannot easily be imported into the infrastructure, into the platforms.
[13:25.310 --> 13:32.730]  With this tool, the security engineer has the chance to point to a URI, to a repo, where everything is up to date.
[13:33.770 --> 13:44.470]  Investigating different commercial or open-source tools, we could get the general idea of how many scenarios are available for a security team.
[13:44.690 --> 13:52.690]  So, we saw that there are about 2000 scenarios in the wild, and all of them cannot be reached from a single place.
[13:54.050 --> 14:01.990]  Most of the tools used for emulation also do not take advantage of the open-source technology.
[14:01.990 --> 14:08.210]  Having a place of scenarios enriched by the red team community would be valuable to everyone.
[14:08.570 --> 14:14.830]  Reporting, on the other hand, is also another issue for the simulation tools.
[14:14.930 --> 14:21.430]  These tools do not provide enough information for understanding the attack surface and attack vectors.
[14:22.210 --> 14:29.230]  And finally, simulation tools are too complex for creating and updating scenarios.
[14:29.230 --> 14:34.030]  They don't have a general structure, like a standard model for scenarios.
[14:34.030 --> 14:41.450]  We tried to standardize this by a scenario model in the JSON format, that you can see in the slide.
[14:42.210 --> 14:52.030]  So, we have the ID specific to the scenario, with the initials of the tactic used there,
[14:52.030 --> 15:00.610]  and the tactic names, the description and name of the scenario, and the mapping to the MITRE ATT&CK framework.
[15:00.610 --> 15:07.710]  We also have the type of the scenario, like is it an endpoint scenario, is it a network or an APT.
[15:07.710 --> 15:13.770]  And also describing the platform, the operating system that it targets.
[15:18.110 --> 15:27.430]  So, overall, the Manticore platform, as we call it, these built-in scenario plays, has the following features.
[15:27.430 --> 15:35.350]  First of all, the tool and the methodology we use in emulating adversarial attacks with this tool is open source.
[15:35.350 --> 15:39.770]  And therefore, this is very cost effective compared to commercial tools.
[15:40.310 --> 15:46.210]  We prepared a scenario environment that makes it faster and less complicated for red teamers.
[15:46.210 --> 15:53.210]  They can easily apply the tests from different open sources, like Atomic Red Team or Red Canary.
[15:54.070 --> 16:03.790]  It gives red teamers the access to the scenarios according to specific attack types, as divided in MITRE categories.
[16:03.790 --> 16:11.590]  And what's more important, the blue teamers will be able to see these attacks within a transparent process.
[16:11.690 --> 16:20.270]  The config files clearly show the sources of threat scenarios and the payloads used within them.
[16:21.130 --> 16:29.950]  Of course, organizations may still prefer to perform a blind engagement, a blind red team engagement, depending on their security maturity.
[16:29.950 --> 16:37.850]  But we think a visible engagement plan can be much more helpful for most of the organizations.
[16:41.690 --> 16:52.150]  And so, blue teams, we talked about blue team detection and prevention to distribution of scenarios.
[16:52.150 --> 17:06.230]  While checking the scenarios, we saw that commercial and open source tools mostly have a bias towards Windows environments.
[17:06.910 --> 17:19.830]  And the number of scenarios is distributed like 60% for Windows and 20% for macOS and 20% for Linux environments.
[17:19.830 --> 17:26.250]  With the community's support, it's possible to increase scenarios on the Mac and Linux side as well.
[17:26.250 --> 17:34.150]  And therefore, balancing this distribution would be a good product at the end.
[17:35.270 --> 17:42.990]  With this platform, APT scenarios can also be recreated and visible to both red teams and blue teams.
[17:42.990 --> 17:49.630]  Since everyone can contribute, red teams will have the chance to add advanced attack scenarios in their toolbox.
[17:49.830 --> 17:56.270]  And build a community to protect and improve defense against attack and breach scenarios.
[17:57.070 --> 18:06.970]  Now I will stop sharing the screen and Gökberk is going to tell you how we structured this tool, showing the GitHub repository.
[18:06.970 --> 18:15.090]  And finally, the more exciting part, we will show the demo of the tool and finally talk about our future work.
[18:19.480 --> 18:26.180]  Hello again. Now we will continue with the presentation.
[18:29.580 --> 18:33.010]  Now we will look at the public threat repository.
[18:33.300 --> 18:39.500]  For this presentation, we released some complex scenarios on our GitHub account.
[18:39.680 --> 18:43.100]  We are mapping these scenarios to MITRE ATT&CK.
[18:43.100 --> 18:53.320]  So far, we published three complex scenarios named APT29, LOLBins and ransomware.
[18:53.760 --> 18:59.160]  In the next, this public repository includes publicly known scenarios.
[18:59.160 --> 19:05.460]  You can see this on our GitHub repository. Later we will go deeply into it.
[19:06.900 --> 19:13.080]  In the next slides, we will look at public threat scenarios, public scenario repository.
[19:13.100 --> 19:17.740]  We released threat scenarios on our GitHub account.
[19:17.740 --> 19:22.800]  All scenarios are again prepared with regards to MITRE ATT&CK.
[19:22.800 --> 19:27.780]  From these scenarios, complex scenario groups are generated.
[19:27.780 --> 19:32.040]  For example, if you look at ransomware emulation.
[19:32.040 --> 19:37.880]  Ransomware emulation includes two scenarios included in the public scenario repository.
[19:37.880 --> 19:41.740]  It has two JSON files with their IDs.
[19:41.740 --> 19:48.640]  These include attack type, attack payloads and platform information. I will show you that later.
[19:51.150 --> 19:59.690]  For ransomware emulation, in this section, we will look at ransomware emulation scenarios for generating public scenarios.
[20:00.170 --> 20:05.330]  We have two different implementations for ransomware emulation.
[20:05.330 --> 20:11.410]  One of them is written in Go. The other one is PowerShell based.
[20:11.410 --> 20:19.330]  This released implementation is not covering all steps of a real ransomware attack, but this is on purpose.
[20:19.370 --> 20:24.910]  Because we wanted to release a simplified implementation of this scenario.
[20:24.910 --> 20:30.410]  There is no C2 server communication or encrypting all files.
[20:30.410 --> 20:37.430]  We are encrypting a file that we create on the fly and decrypt it in this file.
[20:37.430 --> 20:44.490]  Adding the few missing points, these implementations can be converted to full ransomware emulation.
[20:44.490 --> 20:55.990]  Yet, our aim is to test if a defense mechanism could prevent the core function of ransomware, which is encrypting files.
[21:00.200 --> 21:06.040]  In this section, we will speak about the Manticore Adversary Emulation CLI tool.
[21:07.040 --> 21:14.880]  This tool is working with public threat scenarios, which I showed earlier in another repository.
[21:15.040 --> 21:24.380]  As we said before, we have seen that adversary emulation tools do not provide transparency in some of their scenarios.
[21:24.380 --> 21:34.420]  Here, we publish a command-line based adversary emulation tool that is fully open source to bring some visibility to how emulation works.
[21:36.040 --> 21:41.060]  All threats and scenarios are public and configurable.
[21:41.500 --> 21:48.900]  Red teamers, blue teamers can easily edit this tool according to their aim.
[21:48.900 --> 21:57.200]  Also, this CLI is developed in the Go language for achieving multiplatform execution.
[21:57.200 --> 22:07.820]  This tool includes a single config for the CLI, which is shown here, public scenarios, payloads, and threats.
[22:07.820 --> 22:13.660]  With this config, the command-line based tool emulates the adversary.
[22:15.600 --> 22:21.290]  Now, we will look at our demo for this presentation.
[22:22.230 --> 22:32.710]  We have one remote machine and we will run adversary emulation scenarios here.
[22:33.410 --> 22:43.560]  To look at the scenarios which are used by the CLI tool, here we can see the public threat repository.
[22:44.010 --> 22:48.170]  Here, we can see three different kinds of scenario collection.
[22:48.170 --> 22:56.470]  There are many scenarios in our backlog and we are importing all of these gradually.
[22:56.470 --> 23:00.270]  And these scenarios can be easily updated.
[23:01.750 --> 23:05.490]  All kinds of these scenarios are compatible with MITRE ATT&CK.
[23:06.810 --> 23:15.270]  Firstly, we will look at our built-in scenario plays before the demo.
[23:18.130 --> 23:20.610]  Demo of the CLI tool.
[23:20.710 --> 23:28.390]  Here, we can see the threat scenarios which are shown in our public GitHub repository.
[23:28.390 --> 23:30.310]  We can see here too.
[23:30.310 --> 23:44.230]  For example, for PowerShell, one of the example scenarios, execute PowerShell from the CMD executable to collect and compress files of specific extensions.
[23:44.230 --> 23:46.510]  It is used by the Windows platforms.
[23:47.030 --> 23:50.990]  It is designed for the Windows platforms.
[23:51.210 --> 23:54.510]  There, we can see MITRE ATT&CK tags.
[23:54.570 --> 23:56.330]  MITRE ATT&CK tag name.
[23:56.330 --> 23:59.590]  Also, we can go into the scenario here.
[23:59.930 --> 24:04.190]  If we go here, we can see scenario.
[24:05.530 --> 24:14.970]  If we click on it, we can see there is a simple structure of the JSON listed as a scenario.
[24:15.270 --> 24:22.530]  Here, the technique, attack ID, name, type, platform and command and interface.
[24:22.530 --> 24:25.750]  You can see here, PowerShell is the interface.
[24:25.990 --> 24:28.470]  Also, you can see here the ID.
[24:29.530 --> 24:35.710]  Also, we said before too, we have many scenarios in our backlog.
[24:35.870 --> 24:39.390]  And we will try to import all of these scenarios.
[24:39.390 --> 24:46.350]  And we will release, we will publish them to Red Teamers, Blue Teamers, Purple Teamers.
[24:49.500 --> 24:58.020]  For now, we will execute the scenarios with our CLI tool instead of using the UI.
[24:59.880 --> 25:07.580]  Next, we will look at our CLI tool, which is published on a GitHub repository again.
[25:07.580 --> 25:12.540]  Here, we can see our Adversary Emulation Client CLI tool.
[25:12.840 --> 25:18.460]  You can easily compile this on your own infrastructure.
[25:18.460 --> 25:22.180]  Also, for ease of use, we published a release.
[25:22.180 --> 25:27.080]  Here, you can go into the release and you can download config.ini file.
[25:27.080 --> 25:31.120]  And you can download Manticore CLI executable.
[25:31.120 --> 25:38.620]  You can run this executable with the config.ini file within the same directory.
[25:40.820 --> 25:45.080]  The config.ini file includes three components.
[25:45.080 --> 25:51.200]  One of them is the public threat group URL, which is used for the complex scenario collection.
[25:52.420 --> 25:56.540]  The other one is the public threat scenarios URL section.
[25:57.760 --> 26:01.180]  It shows the threat scenario repository.
[26:01.180 --> 26:07.140]  Last one is the payload location, which is used for scenario payloads.
[26:07.220 --> 26:16.360]  For execution, as we told before, you simply compile or download the executable and the config.ini file.
[26:16.360 --> 26:20.700]  You set the necessary URLs for parsing the repository on the platform.
[26:21.200 --> 26:29.560]  In the threat groups URL, you can give multiple URLs for emulation, as it accepts an array of URLs.
[26:29.780 --> 26:40.480]  Now, we will firstly emulate LOLBins emulation for downloading a file from a remote server.
[26:40.980 --> 26:46.700]  As we can see here, we give the threat group URL.
[26:47.200 --> 26:49.980]  We are coming to our tool.
[26:49.980 --> 26:56.300]  Here, our config.ini file and Manticore CLI executable.
[26:56.300 --> 27:02.400]  When we run it, emulation is starting.
[27:28.500 --> 27:34.380]  We have some connection problems here.
[27:34.660 --> 27:37.320]  I will connect again.
[28:02.440 --> 28:08.740]  If we can see here, you can see the LOLBin emulation.
[28:09.280 --> 28:12.620]  There are two binaries for downloading a malicious executable.
[28:12.740 --> 28:19.300]  One of them is using certutil for downloading a file from a remote server.
[28:20.060 --> 28:27.740]  In the description, we can see these steps: downloading a file from a remote web server to the host using certutil.
[28:27.760 --> 28:38.540]  Also, we have a different second scenario that uses the bitsadmin executable to download a file from a remote server.
[28:39.280 --> 28:41.380]  That can be seen here.
[28:46.900 --> 28:55.320]  Next, we will emulate ransomware which is published on the Manticore GitHub repository.
[28:58.140 --> 29:02.410]  If we go there, clearly we can see.
[29:03.680 --> 29:06.380]  It includes two phases.
[29:07.300 --> 29:15.380]  For generating these scenarios, we used the ransomware emulation repository.
[29:16.240 --> 29:19.060]  First one is Go-based ransomware emulation.
[29:19.060 --> 29:22.960]  Second one is PowerShell-based ransomware emulation.
[29:23.060 --> 29:41.400]  If we edit our threat group URL, then we are running our CLI again.
[29:46.910 --> 29:55.190]  Firstly, Go-based multi-platform ransomware emulation is simulated.
[29:55.190 --> 30:00.440]  Also, secondly, PowerShell-based ransomware emulation is simulated.
[30:00.870 --> 30:04.300]  For example, if we look at the first scenario.
[30:04.730 --> 30:08.050]  First, ISK is generated.
[30:08.050 --> 30:13.250]  Then, encrypted ISK is generated via public key.
[30:13.250 --> 30:18.230]  Then, decrypted ISK via generated private key.
[30:18.570 --> 30:24.450]  Here, we can see encrypted file content and decrypted file content.
[30:25.190 --> 30:28.530]  And we can finally see scenario result here.
[30:29.670 --> 30:35.590]  If you wonder, for example, the ransomware emulation executable is listed here.
[30:35.590 --> 30:42.050]  As we said before, it is compiled from this repository.
[30:42.050 --> 30:47.130]  You can easily compile that and you can run it in your infrastructure.
[30:52.260 --> 30:59.320]  Finally, we will add the APT29 emulation URL in the config file.
[30:59.320 --> 31:04.300]  Which does not show all scenarios, but a few of them we will try to emulate.
[31:11.510 --> 31:19.210]  For being clear, if we go into the APT29 JSON file.
[31:19.210 --> 31:22.810]  There we can see different scenario phases.
[31:22.910 --> 31:26.350]  And you can easily go into it.
[31:27.070 --> 31:29.250]  In our github repository.
[31:36.820 --> 31:39.020]  For example.
[31:43.200 --> 31:50.620]  In one of the examples, screen capture native api calls were used to collect a screenshot.
[31:50.620 --> 31:59.460]  It imports the getScreenshot.ps1 file, a PowerShell file, then calls the function.
[31:59.460 --> 32:02.680]  And we will emulate now this one.
[32:02.680 --> 32:04.980]  We are closing that.
[32:11.150 --> 32:24.940]  I will check config file again.
[32:29.440 --> 32:33.340]  Here we can see scenario execution is continuing.
[33:08.220 --> 33:13.060]  Here we partially completed the APT29 emulation.
[33:13.060 --> 33:17.080]  As we told before, it is partial.
[33:17.080 --> 33:23.300]  We have different kinds of scenarios. You can clearly go through them in our GitHub repository.
[33:23.300 --> 33:31.680]  We are trying to import all available scenarios into our platform.
[33:31.680 --> 33:39.240]  People can easily reach them and they can generate complex scenarios from them.
[33:42.960 --> 33:47.000]  If we continue our slides.
[33:50.350 --> 33:57.630]  For the future work, we are continuing to add all available scenarios to the repository.
[33:57.630 --> 34:04.830]  We are also working on the feature of running scheduled scenarios through the UI.
[34:05.690 --> 34:15.670]  Another plan is to integrate our threat intelligence framework into this scenario tool to contribute to the scenario generation and attack prevention.
[34:16.490 --> 34:23.590]  In the public release, we will add a reporting feature.
[34:23.590 --> 34:37.590]  On the other hand, for achieving purple teaming, we will add security management software integration into our CLI tool and the UI.
[34:37.590 --> 34:47.070]  Red teamers and blue teamers can easily query which scenario is detected or prevented.
[34:47.890 --> 34:53.570]  Next, we are waiting for the community's support for this tool.
[34:55.130 --> 34:57.490]  Thanks for listening.
[34:57.870 --> 35:03.790]  If you have any questions, please ask us live in Discord.
[35:03.790 --> 35:11.350]  Also, you can reach us if you want at this email address.
[35:11.350 --> 35:17.370]  Also, we are waiting for your support on our GitHub platform.
[35:17.370 --> 35:18.890]  Thank you so much again.
